[pfx] Re: DANE and STS

2024-06-26 Thread Joachim Lindenberg via Postfix-users
> there is also this online test tool:
> https://en.internet.nl/mail/gmail.com/1276778/
> https://en.internet.nl/mail/outlook.com/1276787/
> https://en.internet.nl/mail/proton.me/1276789/
Most of these online tools check inbound (the easy and marketing part) only. Joachim

[pfx] Re: DANE and STS

2024-06-26 Thread Joachim Lindenberg via Postfix-users
Sent: Wednesday, 26 June 2024 14:11
To: postfix-users@postfix.org
Subject: [pfx] Re: DANE and STS
On Wed, Jun 26, 2024 at 01:35:30PM +0200, Joachim Lindenberg via Postfix-users wrote:
> I have done some testing via my own tool and published results on
> https://blog.lindenberg.one/Em

[pfx] Re: DANE and STS

2024-06-26 Thread Joachim Lindenberg via Postfix-users
I have done some testing via my own tool and published results on https://blog.lindenberg.one/EmailSecurityTest. GMX and web.de do support SMTP-DANE (with bugs), Outlook and Gmail don't. Outlook and Gmail also support MTA-STS at least partially. Proton supports SMTP-DANE inbound only. Yahoo

[pfx] Re: distributed email system

2024-06-15 Thread Joachim Lindenberg via Postfix-users
SQL databases optimize for consistency instead of availability. And even if you design your data model not to rely on joins, to use unique ids per node, and to replicate in both directions or disallow writes on the slave, at least MariaDB failed on partitioning, and I didn't want or tried to use

[pfx] Re: distributed email system

2024-06-14 Thread Joachim Lindenberg via Postfix-users
And the really hard part is to ensure those databases remain consistent with network failures. Cheers, Joachim
-----Original Message-----
From: Wietse Venema via Postfix-users
Sent: Friday, 14 June 2024 16:31
To: Postfix users
Subject: [pfx] Re: distributed email system
Jeff Peng

[pfx] SMTP command trace

2024-06-06 Thread Joachim Lindenberg via Postfix-users
Hello, I am trying to obtain an SMTP command trace for a specific destination. I tried with debug_peer_list and debug_peer_level, but it looked like not all commands were included, but lots of other information that was distracting. Any tip? The old recommendation to use Wireshark doesn't work

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-09 Thread Joachim Lindenberg via Postfix-users
and smtp_tls_security_level
On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users wrote:
> > Viktor Dukhovni:
> > not sufficient market pressure to make it a priority.
> Unfortunately yes, not yet.
> > various load balancers would need to do online DNS

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-09 Thread Joachim Lindenberg via Postfix-users
> Viktor Dukhovni:
> not sufficient market pressure to make it a priority.
Unfortunately yes, not yet.
> various load balancers would need to do online DNSSEC signing
Can you please elaborate why that should be required? Thanks, Joachim

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-08 Thread Joachim Lindenberg via Postfix-users
Message-----
From: Viktor Dukhovni via Postfix-users
Sent: Friday, 8 March 2024 22:44
To: postfix-users@postfix.org
Subject: [pfx] Re: mta-sts and smtp_tls_security_level
On Fri, Mar 08, 2024 at 10:01:29PM +0100, Joachim Lindenberg via Postfix-users wrote:
> Imho you get pretty cl

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-08 Thread Joachim Lindenberg via Postfix-users
Imho you get pretty close to mta-sts if you use verify together with a DNSSEC-validating resolver. You just validate the "authorized" MTAs by different means. I still think SMTP-DANE (RFC 7672) is preferable. Regards, Joachim
-----Original Message-----
From: Michael W. Lucas via

[pfx] Re: postfix alternating between mail.example.com and real hostname?

2024-02-12 Thread Joachim Lindenberg via Postfix-users
From: Bill Cole via Postfix-users
Sent: Monday, 12 February 2024 16:18
To: Joachim Lindenberg via Postfix-users
Subject: [pfx] Re: postfix alternating between mail.example.com and real hostname?
On 2024-02-12 at 07:07:03 UTC-0500 (Mon, 12 Feb 2024 13:07:03 +0100) Joachim Lindenberg via

[pfx] postfix alternating between mail.example.com and real hostname?

2024-02-12 Thread Joachim Lindenberg via Postfix-users
I haven't seen this before, but at present my mail server is kind of alternating between mail.example.com and the real hostname (or someone is spoofing my IP address, which I doubt). All configuration files I checked indicate the correct setting and postconf myhostname returns the correct name.

[pfx] Re: The SMTP HELP command

2023-12-29 Thread Joachim Lindenberg via Postfix-users
Hello John, are you willing to share what direction you/IETF are working towards? What I am really missing is clear statements like SMTP-DANE, SPF, DKIM, DMARC are mandatory unless you don't use SMTP at all. While some public providers support these, many German organizations do not. Just

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-21 Thread Joachim Lindenberg via Postfix-users
Emmanuel:
> Nginx is mainly a buffering HTTP proxy/reverse proxy and/or an HTTP TLS
> termination endpoint or raw N to 1 TCP proxy. ...
Nginx can also act very well as a mere TCP proxy with proxy protocol. I am not terminating TLS on my VPS except for public websites served directly by the VPS.

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-21 Thread Joachim Lindenberg via Postfix-users
Emmanuel, please read the thread https://www.mail-archive.com/postfix-users@postfix.org/msg100852.html from the beginning. SOCKS5 was already considered as an alternative to proxy protocol. If you want to bash nginx then please provide some substance. I am running multiple instances of web

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-20 Thread Joachim Lindenberg via Postfix-users
Emmanuel:
> That's crazy. If you're able to run a dedicated proxy instance, you're able to
> run an outbound postfix instance too: the perfect proxy software for
> smtp/postfix is postfix.
> Otherwise it means that you're trying to solve your use-case at the wrong
> level and that should be dealt at

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-20 Thread Joachim Lindenberg via Postfix-users
Wietse:
> Obviously, nginx will not know the Postfix SMTP client protocol stage, and the
> nginx settings will have to match the largest
> Postfix timeouts to avoid persistent mail delivery problems with some sites.
> Settings optimal for Postfix may conflict with 'web' proxy usage.
There is no need

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-20 Thread Joachim Lindenberg via Postfix-users
> A Postfix implementation will have to work for other use cases, too. It would
> be good to know how nginx in forward proxy mode handles or
> ignores client
> address and port info, now and in the foreseeable future.
I double checked documentation at

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Joachim Lindenberg via Postfix-users
> This means that nginx ignores the source port in the proxy protocol.
> Is that documented somewhere?
It does not ignore it, the variable exists. My configuration doesn't use it for outbound, as plenty of ports are in use, and dynamic is ok for the use case. Does postfix have a dependency on the

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Joachim Lindenberg via Postfix-users
> Is there a technical spec of that protocol? Does it look in any way like
> HaProxy protocol version 1 or 2? What are the source IP address and port?
https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#:~:text=Enables%20the%20PROXY%20protocol links to the expected suspect (HaProxy)...

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Joachim Lindenberg via Postfix-users
> How is this used to connect to an arbitrary destination on the Internet?
This is probably nginx implementation specific, but one can configure a stream proxy as follows:
    stream {
        server {
            listen 10.200.200.1:12345 proxy_protocol;
            proxy_bind [$proxy_protocol_addr];

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Joachim Lindenberg via Postfix-users
Hello Wietse, maybe I should tell I am using nginx for all my inbound proxy protocol needs (HA is via multiple addresses in DNS), and my email test service uses proxy protocol outbound as well. Before I picked proxy protocol for that use case I checked SOCKS or HTTP proxies but perceived the

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-18 Thread Joachim Lindenberg via Postfix-users
Hello Wietse, Yes, exactly, no second instance. Ok, implies I haven't overlooked something. Is this an option you are willing to consider? The key benefit to guys like me is that one doesn't have to manage two instances, considering setup and maintenance, configuration (like tls policies),

[pfx] Postfix using proxy protocol outbound?

2023-12-18 Thread Joachim Lindenberg via Postfix-users
I am running my postfix (mailcow) in my local network and interface to the outside via a VPN that is terminated on a VPS with a static address with adequate reputation. Historically I used NAT in both directions in- and outbound, but I switched to use proxy protocol inbound as I am in fact now

[pfx] Re: TAKE NOTE 3: Upcoming new Let's Encrypt intermediate issuer CAs.

2023-12-14 Thread Joachim Lindenberg via Postfix-users
I'd say Viktor is biased towards 3 1 1. You may call me biased towards 2 1 1 because I dislike pinning a key that is supposed to rotate. In any case you need to automate updates or monitoring and I do, though the relevant "change" use case in 2 1 1 didn't happen so far. Joachim

[pfx] Re: SMTP Require TLS Option?

2023-10-19 Thread Joachim Lindenberg via Postfix-users
> > Thunderbird "advertises" end-to-end-encryption only and confuses users
> > that actually use/benefit from SMTP-DANE where it tells "unencrypted".
> IMHO correctly. Email that isn't end-to-end encrypted *is* actually
> unencrypted in transit.
TLS encrypts transmission only, but the message is

[pfx] Re: SMTP Require TLS Option?

2023-10-18 Thread Joachim Lindenberg via Postfix-users
e Venema via Postfix-users
Sent: Friday, 13 October 2023 20:10
To: Postfix users
Subject: [pfx] Re: SMTP Require TLS Option?
Joachim Lindenberg via Postfix-users:
> Hello,
>
> are there any ideas or plans to implement SMTP Require TLS Option (RFC 8689)
> in postfix?

[pfx] SMTP Require TLS Option?

2023-10-13 Thread Joachim Lindenberg via Postfix-users
Hello, are there any ideas or plans to implement the SMTP Require TLS Option (RFC 8689) in postfix? I am aware that in order to really leverage that, one needs an MUA using it, plus an MTA supporting SMTP-DANE (RFC 7672) or MTA-STS (RFC 8461), but sure I may be missing something. Thanks,

[pfx] DANE for postfix mailing list?

2023-06-29 Thread Joachim Lindenberg via Postfix-users
I remember there was the goal to use DANE for the mailing list, but I wonder whether or to what extent that has been achieved. Can someone please clarify? Thanks, Joachim

[pfx] Re: Anyone using SMTP relay through dnsexit.com?

2023-06-29 Thread Joachim Lindenberg via Postfix-users
Price is not the only question. If you have or want to comply with GDPR, you have to pick one not under U.S. jurisdiction, and these are rare. In fact, a VPS that does VPN is imho the best option and usually a lot cheaper than a static IP address for your residential line. You can then host your

[pfx] Re: Anyone using SMTP relay through dnsexit.com?

2023-06-27 Thread Joachim Lindenberg via Postfix-users
my understanding is, ISPs don't block you, but none of the big providers accepts emails from IPs of access networks. Thus if you want to run an email server at home, you need either a relay, a VPS or a VPN with an IP address having good reputation. Historically some ISPs offered a relay, but

[pfx] Re: TLS client policy according to domain MTA-STS policy

2023-05-24 Thread Joachim Lindenberg via Postfix-users
A more quick and dirty option is to configure transport policy "verify" for any mta-sts destinations (I am doing this in a script). That doesn't really check that the MX one connects to are enumerated, but at least the certificate validation part of mta-sts will prevent connections to arbitrary

[pfx] Re: DANE and DNSSEC

2023-05-22 Thread Joachim Lindenberg via Postfix-users
to decide on her/his own. Cheers, Joachim
-----Original Message-----
From: raf via Postfix-users
Sent: Saturday, 20 May 2023 00:53
To: postfix-users@postfix.org
Subject: [pfx] Re: DANE and DNSSEC
On Thu, May 18, 2023 at 08:54:16PM +0200, Joachim Lindenberg via Postfix-users wrote

[pfx] Re: DANE and DNSSEC

2023-05-18 Thread Joachim Lindenberg via Postfix-users
Hello Byung-Hee, for testing you may want to try https://blog.lindenberg.one/EmailSecurityTest. Best Regards, Joachim
-----Original Message-----
From: Byung-Hee HWANG via Postfix-users
Sent: Wednesday, 17 May 2023 10:16
To: Postfix-users
Subject: [pfx] Re: DANE and DNSSEC
Now i

[pfx] Re: DANE and DNSSEC

2023-05-18 Thread Joachim Lindenberg via Postfix-users
For Letsencrypt certificates I'd definitely go with 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D and optionally the R4 derivate and add their successors when these are about to expire, rather than 3 1 1 and change every two months. Best Regards, Joachim

[pfx] Re: DANE and DNSSEC

2023-05-11 Thread Joachim Lindenberg via Postfix-users
DNSSEC is mandatory for DANE. Greetings, Joachim
-----Original Message-----
From: Byung-Hee HWANG via Postfix-users
Sent: Thursday, 11 May 2023 08:17
To: Postfix Users
Subject: [pfx] DANE and DNSSEC
Hello Postfix hackers, I have a question while reading DANE docs. Is DNSSEC

[pfx] Hello Baknu of DANE-for-SMTP?

2023-05-03 Thread Joachim Lindenberg via Postfix-users
Hello, is Baknu, the author of https://github.com/baknu/DANE-for-SMTP, around here? Or does someone know her/his personal email address and can forward this message, as I'd like to get in contact? Thanks, Joachim